| Version | Supported |
|---|---|
| 1.x | ✅ |
We take the security of SuperApp seriously. If you believe you've found a security vulnerability, please follow these steps:
- Do not open a public GitHub issue
- Email security details to security@superapp.dev
- Include as much information as possible:
- Type of vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
You should receive a response within 48 hours. If not, please follow up.
- We will acknowledge receipt within 2 business days
- We will investigate and provide an estimated timeline for a fix
- We will notify you when the vulnerability is fixed
- We will credit you in the security advisory (if desired)
We follow a 90-day disclosure deadline. We ask that you give us 90 days to address the issue before any public disclosure.
- Multi-tenancy: Tenant ID enforced on every DB query, cross-tenant isolation at repository level
- Authentication: JWT with short-lived access tokens (15min) + refresh token rotation
- Authorization: RBAC with fine-grained permissions (resource:action pattern)
- Data encryption: Passwords hashed with bcrypt, sensitive data encrypted at rest
- Audit logging: All mutating operations logged (immutable, append-only, 90-day retention)
- Feature flags: Admin-only API for flag toggles, tenant-isolated overrides
- Rate limiting: Redis-based sliding window, configurable per endpoint